CVE-2026-46725 PUBLISHED

Remote Code Execution in extension "Content Element Selector" (ceselector)

Assigner: TYPO3
Reserved: 16.05.2026 Published: 19.05.2026 Updated: 19.05.2026

The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	TYPO3
Product	Extension "Content Element Selector"
Versions	Default: unaffected affected from 6.0.0 to 6.0.1 (excl.) affected from 5.0.0 to 5.0.1 (excl.) affected from 4.0.0 to 4.0.2 (excl.) affected from 0 to 3.0.3 (excl.)

Credits

Torben Hansen reporter
Matthias Mächler remediation developer

References

https://typo3.org/security/advisory/typo3-ext-sa-2026-013

Problem Types

CWE-502 Deserialization of Untrusted Data CWE